Bug 152897 - CAN-2005-0089 python SimpleXMLRPCServer security issue
Summary: CAN-2005-0089 python SimpleXMLRPCServer security issue
Keywords:
Status: CLOSED DUPLICATE of bug 169235
Alias: None
Product: Fedora Legacy
Classification: Retired
Component: python
Version: unspecified
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Fedora Legacy Bugs
QA Contact:
URL: http://cve.mitre.org/cgi-bin/cvename....
Whiteboard: 1, LEGACY, NEEDSWORK, rh73, rh90
Depends On: 169235
Blocks:
Reported: 2005-02-10 18:55 UTC by Marc Deslauriers
Modified: 2007-04-18 17:22 UTC (History)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2005-09-28 06:51:44 UTC
Embargoed:



Description David Lawrence 2005-03-30 23:31:21 UTC
The Python folks have discovered a flaw in SimpleXMLRPCServer that can
affect any XML-RPC servers.  This affects any programs that have been written
to allow remote untrusted users to do unrestricted traversal, which can
allow them to access or change function internals using the im_* and
func_* attributes.

Info:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-0089
https://bugzilla.redhat.com/beta/show_bug.cgi?id=146645

------- Bug moved to this database by dkl 2005-03-30 18:31 -------

This bug previously known as bug 2421 at https://bugzilla.fedora.us/
https://bugzilla.fedora.us/show_bug.cgi?id=2421
Originally filed under the Fedora Legacy product and Package request component.

Unknown priority P2. Setting to default priority "normal".
Unknown platform PC. Setting to default platform "All".
Setting qa contact to the default for this product.
   This bug either had no qa contact or an invalid one.
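The traversal the description refers to happens when a dispatcher walks a dotted method name ("a.b.c") with getattr at each step. The following is an added illustration, not code from the bug report or from Python's own SimpleXMLRPCServer: a minimal dispatcher that applies the same guard the upstream fix introduced, refusing any path component starting with an underscore (which covers im_*/func_* on Python 2 and their __func__/__globals__ equivalents on Python 3) and optionally disabling dotted names entirely. The class and function names are hypothetical.

```python
from typing import Any, Tuple


def resolve_dotted_attribute(obj: Any, attr: str, allow_dotted_names: bool = True) -> Any:
    """Walk 'a.b.c' from obj, refusing any component that starts with '_'.

    The underscore check is the mitigation: a remote caller can name public
    methods, but never the private attributes that expose a function's
    internals (im_func / func_globals on Python 2, __func__ / __globals__
    on Python 3).
    """
    parts = attr.split(".") if allow_dotted_names else [attr]
    for part in parts:
        if not part or part.startswith("_"):
            raise AttributeError("attempt to access private attribute %r" % part)
        obj = getattr(obj, part)
    return obj


class SafeDispatcher:
    """Hypothetical XML-RPC-style dispatcher over one registered instance."""

    def __init__(self, allow_dotted_names: bool = False) -> None:
        self._instance: Any = None
        self._allow_dotted_names = allow_dotted_names

    def register_instance(self, instance: Any) -> None:
        self._instance = instance

    def dispatch(self, method: str, params: Tuple[Any, ...]) -> Any:
        if self._instance is None:
            raise ValueError("no instance registered")
        func = resolve_dotted_attribute(self._instance, method, self._allow_dotted_names)
        if not callable(func):
            raise AttributeError("method %r is not callable" % method)
        return func(*params)


class Calculator:
    """Sample service object, constructed for this example."""

    def add(self, a: int, b: int) -> int:
        return a + b


def probe(method: str, params: Tuple[Any, ...] = (), dotted: bool = False) -> str:
    """Return 'ok:<result>' for an accepted call, 'rejected' for a blocked one."""
    d = SafeDispatcher(allow_dotted_names=dotted)
    d.register_instance(Calculator())
    try:
        return "ok:%r" % d.dispatch(method, params)
    except AttributeError:
        return "rejected"
```

With dotted names enabled, public sub-objects remain reachable, but any component naming a private attribute is refused before getattr runs; with them disabled, the whole string is looked up as one attribute and cannot traverse at all.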



Comment 1 Michal Jaegermann 2005-09-26 06:00:14 UTC
Corresponding fixed Python packages were announced in
http://rhn.redhat.com/errata/RHSA-2005-109.html which has classification
"Important".

Comment 2 Michal Jaegermann 2005-09-26 22:26:47 UTC
There is a package for RH7.3 at
ftp://ftp.harddata.com/pub/Legacy_packages/python2-2.2.2-11.7.3.1.legacy.src.rpm

These sources include a fix for CAN-2005-0089, and also for other SSL security
issues (lifted from updates to RHEL) and a fix for pcre issues (CAN-2005-2491,
#169235).

Neither python-1.5.2-... packages, nor python-xmlrpc-1.5.1-7.x.3, for RH7.3
seem to be affected by CAN-2005-0089.  It does not look like the code in
question, or something similar, is there.

For other distributions it seems that a fix for CAN-2005-0089 will be
either the same as or very similar to the one applied here.  In any case the code from
corresponding RHEL update sources will apply.

Comment 3 David Eisenstein 2005-09-27 06:14:15 UTC
(Michal and Jim - hope you don't mind my adding you to the cc: for this bug.)

Since Michal has proposed the python2-2.2.2-11.7.3.1.legacy.src.rpm packages as
a fix not only for this bug report's issue, but also for the CAN-2005-2491
pcre issue (handled in Bug #169235), I suggest we re-title 169235 to be
"CAN-2005-0089 CAN-2005-2491 python multiple security issues" and continue all
work on CAN-2005-0089 there.  We can make this bug report's success depend on
that one.

That way we can track all of python's pending security issues in one bug report
rather than two.  Would you mind changing the title of 169235, Jim?

Comment 4 Jim Popovitch 2005-09-27 15:05:47 UTC
David, Thank you for adding me to this bug.  For the record I would rather be
added than deleted. ;-)

I have renamed 169235 as you proposed.

Comment 5 Pekka Savola 2005-09-28 06:51:44 UTC
I'm closing this bug if we continue tracking on #169235.

*** This bug has been marked as a duplicate of 169235 ***

